[Freeipa-users] sudo and NIS domain name
Dean Hunter
deanhunter at comcast.net
Fri May 9 21:55:51 UTC 2014
On Fri, 2014-05-09 at 10:28 +0200, Lukas Slebodnik wrote:
> On (08/05/14 19:46), Dean Hunter wrote:
> >On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
> >
> >> Dean Hunter wrote:
> >> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
> >> >> On (03/05/14 10:39), Dean Hunter wrote:
> >> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >> >> >
> >> >> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> >> >>
> >> >> >> >> >
> >> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
> >> >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement
> >> >> >> >> > to set the NIS domain name?
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
> >> >> >> >> Is this the case with you?
> >> >> >> >> If not please provide the logs and config.
> >> >> >> >>
> >> >> >> >
> >> >> >> >I am not aware of using netgroups, either the IPA object or any other
> >> >> >> >kind. I just remember that when I was first configuring sudo to
> >> >> >> >retrieve rules from IPA it would not work until I set nisdomainname
> >> >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the
> >> >> >> >manual:
> >> >> >> >
> >> >> >> >
> >> >> >> > Even though sudo uses NIS-style netgroups, it is not necessary
> >> >> >> > to have a NIS server installed. Netgroups require that a NIS
> >> >> >> > domain be named in their configuration, so sudo requires that a
> >> >> >> > NIS domain be named for netgroups. However, that NIS domain does
> >> >> >> > not actually need to exist.
> >> >> >> >
> >> >> >> >
> >> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that
> >> >> >> >existed in Fedora 19. I did find fedora-domainname.service and started
> >> >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet
> >> >> >> >IPA sudo rules appear to work.
> >> >> >> >
> >> >> >> Hope it helps you
> >> >> >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
> >> >> >>
> >> >> >> LS
> >> >> >
> >> >> >
> >> >> >Thank you. Now that you point it out, I remember that this thread is
> >> >> >where I first learned about fedora-domainname.service. I see:
> >> >> >
> >> >> > You would also need to set NIS domain name, otherwise SUDO will
> >> >> > not correctly recognize SUDO rules targeted on host groups,
> >> >> ^^^^^^^^^^^^^^
> >> >> This is important part
> >> >> > instead of hosts:
> >> >> >
> >> >> >which explains when sudo would need the NIS domain name. Since my sudo
> >> >> >rules address user groups I guess there is no requirement for NIS domain
> >> >> >name since they are working just fine:
> >> >> Your sudo rules use host groups.
> >> >>
> >> >> >
> >> >> > ipa sudorule-add desktop-admins --desc "Desktop Administrators"
> >> >> > ipa sudorule-mod desktop-admins --cmdcat all
> >> >> > ipa sudorule-add-host desktop-admins --hostgroups desktops
> >> >> > ipa sudorule-add-option desktop-admins --sudooption "!authenticate"
> >> >> > ipa sudorule-add-runasuser desktop-admins --users root
> >> >> > ipa sudorule-add-runasgroup desktop-admins --groups root
> >> >> > ipa sudorule-add-user desktop-admins --groups desktop-admins
> >> >> >
> >> >> > ipa sudorule-add server-admins --desc "Server Administrators"
> >> >> > ipa sudorule-mod server-admins --cmdcat all
> >> >> > ipa sudorule-add-host server-admins --hostgroups servers
> >> >> hostgroups are reason why you need to configure NIS domain name.
> >> >> hostgroups are also available as netgroups in compat tree and sudo reads
> >> >> information from netgroups.
> >> >>
> >> >> > ipa sudorule-add-option server-admins --sudooption "!authenticate"
> >> >> > ipa sudorule-add-runasuser server-admins --users root
> >> >> > ipa sudorule-add-runasgroup server-admins --groups root
> >> >> > ipa sudorule-add-user server-admins --groups server-admins
> >> >> >
> >> >> >However, I was really asking whether there had been a change in
> >> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not
> >> >> >work at all in early IPA 3.n releases unless the NIS domain name was
> >> >> >configured.
> >> >> >
> >> >>
> >> >> LS
> >> >
> >> > I hear you and that is what I expected. However, the actual behavior
> >> > seems to have changed with 3.3.4 and now 3.3.5.
> >> >
> >> > [dean at desktop ~]$ domainname --nis
> >> > domainname: Local domain name not set
> >> >
> >> > [dean at desktop ~]$ sudo -l
> >> > Matching Defaults entries for dean on desktop:
> >> > requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
> >> > HISTSIZE INPUTRC
> >> > KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
> >> > LC_ADDRESS
> >> > LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
> >> > LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
> >> > LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
> >> > _XKB_CHARSET
> >> > XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >> >
> >> > User dean may run the following commands on desktop:
> >> > (root : root) NOPASSWD: ALL
> >> >
> >> > [dean at desktop ~]$
> >> >
> >> > I think this is a good thing. I would just like to confirm that this is
> >> > the new expected behavior and that I have not done something wrong.
> >>
> >> We'd need to see your sudo rules to know for sure.
> >>
> >> I don't think anything changed in the IPA code to change this behavior,
> >> but we herd a lot of cats so something in another package may be different.
> >>
> >> rob
> >
> >
> >The sudo rules are listed above.
> >
> FYI
> [root ~]# ipa sudorule-add-host --help
> Usage: ipa [global-options] sudorule-add-host SUDORULE-NAME [options]
>
> Add hosts and hostgroups affected by Sudo Rule.
> Options:
> -h, --help show this help message and exit
> --all Retrieve and print all attributes from the server. Affects
> command output.
> //will work without nisdomainname configured
>
> --raw Print entries as stored on the server. Only affects output
> format.
> --hosts=STR hosts to add
> //will work without nisdomainname configured
>
> --hostgroups=STR host groups to add
> //will *NOT* work without nisdomainname configured
>
> LS
Lukas and Rob,
I thank you for your responses. I believe I understand what you are
trying to say. As near as I understand it, I AM using host groups in my
sudo rules. I do NOT have an NIS domain name configured. Yet, the
rules are working.
ipa group-add desktop-admins --desc "Desktop Administrators"
ipa group-add server-admins --desc "Server Administrators"
ipa group-add-member desktop-admins --users dean
ipa group-add-member server-admins --users dean
ipa hostgroup-add desktops --desc Desktops
ipa hostgroup-add servers --desc Servers
ipa hostgroup-add-member desktops --hosts desktop.hunter.org
ipa hostgroup-add-member desktops --hosts test.hunter.org
ipa hostgroup-add-member servers --hosts host.hunter.org
ipa hostgroup-add-member servers --hosts ipa.hunter.org
ipa hostgroup-add-member servers --hosts lamp.hunter.org
ipa sudorule-add desktop-admins --desc "Desktop Administrators"
ipa sudorule-mod desktop-admins --cmdcat all
ipa sudorule-add-host desktop-admins --hostgroups desktops
ipa sudorule-add-option desktop-admins --sudooption "!authenticate"
ipa sudorule-add-runasuser desktop-admins --users root
ipa sudorule-add-runasgroup desktop-admins --groups root
ipa sudorule-add-user desktop-admins --groups desktop-admins
ipa sudorule-add server-admins --desc "Server Administrators"
ipa sudorule-mod server-admins --cmdcat all
ipa sudorule-add-host server-admins --hostgroups servers
ipa sudorule-add-option server-admins --sudooption "!authenticate"
ipa sudorule-add-runasuser server-admins --users root
ipa sudorule-add-runasgroup server-admins --groups root
ipa sudorule-add-user server-admins --groups server-admins
[dean at host ~]$ domainname --nis
domainname: Local domain name not set
[dean at host ~]$ sudo -l
Matching Defaults entries for dean on host:
requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User dean may run the following commands on host:
(root : root) NOPASSWD: ALL
[dean at host ~]$
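As an added example (not part of the thread or of FreeIPA itself), the following script applies Lukas's rule mechanically: it reads the `ipa sudorule-*` commands an administrator ran, flags every rule whose hosts are targeted with `--hostgroups` (those are resolved through compat-tree netgroups and therefore depend on the NIS domain name), and combines that with the output of `domainname --nis` to say whether the configuration is at risk. The sample commands are the thread's own, unwrapped onto single lines, plus one constructed rule (`backup-ops`) that targets a host directly for contrast.

```python
import shlex
from collections import defaultdict

# Constructed sample: the thread's commands unwrapped onto single lines, plus a
# hypothetical third rule ("backup-ops") that targets a host directly.
SAMPLE_COMMANDS = """
ipa sudorule-add desktop-admins --desc "Desktop Administrators"
ipa sudorule-add-host desktop-admins --hostgroups desktops
ipa sudorule-add-user desktop-admins --groups desktop-admins
ipa sudorule-add server-admins --desc "Server Administrators"
ipa sudorule-add-host server-admins --hostgroups servers
ipa sudorule-add-user server-admins --groups server-admins
ipa sudorule-add backup-ops --desc "Backup operators"
ipa sudorule-add-host backup-ops --hosts=lamp.hunter.org
"""


def parse_rules(text):
    """Map each sudo rule name to the kinds of host target it uses."""
    rules = defaultdict(set)
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if len(argv) < 3 or argv[0] != "ipa" or not argv[1].startswith("sudorule-"):
            continue
        name = argv[2]
        rules.setdefault(name, set())  # a rule with no host target is still a rule
        if argv[1] != "sudorule-add-host":
            continue
        for opt in argv[3:]:
            # Accept both "--hostgroups servers" and "--hostgroups=servers".
            if opt.startswith("--hostgroups"):
                rules[name].add("hostgroups")
            elif opt.startswith("--hosts"):
                rules[name].add("hosts")
    return dict(rules)


def rules_needing_nisdomain(rules):
    """Rules sudo evaluates through compat-tree netgroups, per the thread."""
    return sorted(name for name, kinds in rules.items() if "hostgroups" in kinds)


def nis_domain_set(domainname_output):
    """Interpret `domainname --nis` output; unset shows as '(none)' or an error."""
    out = domainname_output.strip()
    return bool(out) and out != "(none)" and "not set" not in out


def audit(commands, domainname_output):
    """('WARN', affected) when hostgroup-targeted rules exist but no NIS domain is set."""
    affected = rules_needing_nisdomain(parse_rules(commands))
    status = "WARN" if affected and not nis_domain_set(domainname_output) else "OK"
    return status, affected
```

On a real host, feed `audit()` the saved command history and the live `domainname --nis` output; a WARN means rules like the two in this thread rely on netgroup matching that the thread says needs `nisdomainname` configured.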